Wednesday, August 29, 2012

When you go to a social gathering where everyone is wearing handwritten name tags, has it ever occurred to you that the name on their badge might not actually be theirs? You probably have considered that, for example, the person wearing a badge that says "HELLO MY NAME IS... Acme Corp" probably doesn't have that name on their birth certificate, but if it says "HELLO MY NAME IS... Stef Hopkins" you should treat it with the same amount of skepticism. Their name might actually be Stephanie, or something completely different like Priscilla Smith.

The same is true for other technologies that we sometimes trust to give us information. Just because technology has told us who the message or incoming call is from doesn't mean that the technology is accurate. It's displaying the name tag it has been given.

Why you can't trust Caller ID

Most phones default to showing their actual phone number in the Caller ID field on mobile phones and phones with displays, but the number can be changed. That's for two legitimate reasons:

Sometimes companies or individuals want their calls to be returned to another number (such as a company main number or switchboard)

Some phones aren't phones at all, but a set of headphones connected to the internet, or one of many phones on a switchboard. Therefore it may not have a callback phone number. Just because it doesn't have a source phone number doesn't mean your phone company won't put the call through.

Though this is allowed because there are legitimate reasons to do this, it's an opportunity for malicious or at least decivious people to change the phone number displayed. For that reason, Caller ID should never be used as evidence in a court of law that the phone number came from a certain location, and you should always treat Caller ID as a hint about who the caller is rather than as a telephone trace.

Caller ID is easily fooled, with just a little more knowledge than it takes to handwrite a name tag.

Why you can't trust the From field on email

During the setup of your email program, you are prompted to enter a username, a password, an email address, and your full name. Most people never give this a second thought, but if you're providing a username and password, why couldn't the email address and full user name be grabbed from the account? That's because just like Caller ID, there are legitimate reasons for the displayed email address and name to be different from the real source email address:

The account may not have an email address, or be sending an email from a web form tool, so the preferred From address would be a customer service alias or the email address of the tool's developer.

The sender may prefer that all email comes from a company alias and not expose their direct address.

Friends and family sometimes tell me someone must have broken into their email account because someone else received a message from them that they never sent. The reality is that since the From field of an email can be filled in with almost anything, there are many tools to grab random names and addresses so that decivious or malicious people can send messages without revealing their true name.

Just because someone received a virus or a scam email from your email address does not necessarily mean that the virus has ever been able to send from your computer or your account.